North Korean Hackers Infiltrate Crypto Space with US Shell Companies—Targeting Developers
Lazarus Group strikes again—this time hiding behind American LLCs to phish crypto talent. Because why hack exchanges when you can just LinkedIn-pivot into devs’ DMs?
Operation ‘Silicon Smoke Screen’: Pyongyang’s cyber-army registers Delaware shell companies, masquerades as legit recruiters. Their weapon of choice? Fake job offers dripping with USDC salary promises.
Security sleuths trace malware-laced Zoom invites to ‘San Francisco-based’ startups—turns out their HQ is a virtual mailbox. Another reminder that in crypto, if an offer looks too good to be true, it’s probably a nation-state attacker.
Meanwhile, Wall Street still thinks blockchain security means writing passwords on Post-its. Priorities.
Scam Job Offers, Empty Lots, and Malware
Silent Push attributed the operation to a subgroup within the Lazarus Group, a state-sponsored hacking unit operating under North Korea’s Reconnaissance General Bureau. The group is known for its role in high-profile cyber thefts and espionage activities.
In this campaign, the hackers used fake professional profiles and job postings to approach developers, primarily on platforms such as LinkedIn. Once contact was made, victims were invited to “interviews” where they were encouraged to download malware disguised as hiring software or technical assessments.
Of these front companies, Blocknovas was the most active, with multiple confirmed victims. Its listed physical address in South Carolina was found to be an empty lot. Softglide, meanwhile, was registered through a Buffalo-based tax preparation service, which further complicated efforts to trace those behind the operation. The malware used included strains previously attributed to North Korean cyber units, capable of data theft, remote access, and further network infiltration.
The FBI has seized the Blocknovas domain, with a notice on its website indicating it was used to deceive job seekers and spread malware.
North Korean Malware Trap
The Lazarus Group has repeatedly exploited fake employment opportunities to deliver malware. For instance, it launched a cyber campaign called “ClickFix” targeting job seekers in the centralized finance (CeFi) crypto sector. Cybersecurity firm Sekoia recently revealed that the group impersonates companies such as Coinbase and Tether to lure marketing and business applicants into fake interviews.
One of Lazarus’s biggest crypto thefts came in 2021, when a bogus job offer led to the $625 million Ronin Bridge hack targeting Axie Infinity.